ASA FAILOVER PAIR HW REPLACEMENT

lcuchisanmillan
Level 1

Hi all,

We have a pair of ASAs and the standby has to be replaced. I have not found many documents about the replacement process, so I have some questions:

1- The failover configuration in the primary device is:

     failover
     failover lan unit primary
     failover lan interface FAILOVER Management0/0
     failover key *****
     failover link FAILOVER Management0/0
     failover interface ip FAILOVER X.X.X.1 255.255.255.252 standby X.X.X.2

     I think that the configuration in the RMA ASA should be:


     failover lan unit secondary
     failover lan interface FAILOVER Management0/0
     failover key *****
     failover link FAILOVER Management0/0
     failover interface ip FAILOVER X.X.X.1 255.255.255.252 standby X.X.X.2

     failover

     The only problem is that we do not have the failover key and I only see it encrypted. Is there a way to see the failover key in plain text, or do I need to generate a new key?

2- The second issue is about the licenses: the broken ASA has a license activated on it with its corresponding activation-key. As I understand, these activation-keys are related to the chassis S/N and I think that the new ASA will not accept the activation-key of the broken one. What do I have to do to have the new ASA activated with the same license that the broken one has?

3 - Lastly, the ASA cluster has an ASA-SSM card installed on each ASA. When I replace the broken one with the new ASA, is just removing the SSM card from the broken ASA and installing it in the new one enough? Or do I have to do something else?

Thank you very much,

4 Replies

Jennifer Halim
Cisco Employee

1. You can get the failover key by issuing the following:

more system:running-config | i failover

2. Once you receive the RMA ASA, you would need to send an email to licensing@cisco.com, provide the show version output from the failed ASA, and request an activation key for the RMA ASA (provide the serial# of the RMA ASA too).

3. Yes, once you receive the RMA ASA, please move the SSM card from the failed ASA to the RMA ASA.

Hope that confirms everything.

Hello halijen,

Thank you for your response.

Before changing the failed ASA, we tried to load an image in ROMMON via tftp. We were lucky and were able to load it, but all the configuration and activation keys were lost.

We tried to do a dir all: but disk0:, where all the images were supposed to be, did not appear, so we think that the memory is corrupted and we are going to replace it with a new one.

     ciscoasa# dir all

     Directory of system:/

     1      ----  0           00:00:00 Jan 01 1970  running-config

     No space information available

The thing is that I tried to configure and enable the failover in the "broken ASA" and I was not able to because of the licenses:

     ciscoasa# Mate's license (Failover Enabled) is not compatible with my license (Failover Disabled). Failover will be disabled.
     Mate's license (VPN-DES Enabled) is not compatible with my license (VPN-DES Disabled). Failover will be disabled.
     Mate's license (VPN-3DES-AES Enabled) is not compatible with my license (VPN-3DES-AES Disabled). Failover will be disabled.
     Mate's license (2 Contexts) is not compatible with my license (0 Contexts). Failover will be disabled.

     ciscoasa# sh ver

     Cisco Adaptive Security Appliance Software Version 7.2(2)

     Compiled on Wed 22-Nov-06 14:16 by builders
     System image file is "tftp://1.1.1.9/asa722-k8.bin"
     Config file at boot was "startup-config"
     .......

     Licensed features for this platform:
     Maximum Physical Interfaces : Unlimited
     Maximum VLANs               : 150      
     Inside Hosts                : Unlimited
     Failover                    : Active/Active
     VPN-DES                     : Enabled  
     VPN-3DES-AES                : Disabled 
     Security Contexts           : 2        
     GTP/GPRS                    : Disabled 
     VPN Peers                   : 750      
     WebVPN Peers                : 2       

     This platform has an ASA 5520 VPN Plus license.


     Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
     Configuration register is 0x1

Are these logs only because the VPN Plus license is not activated with the activation key, or do I have to activate anything else?

I would like to know if I would have the same problems with the new ASA. Here is a sh ver of the primary ASA that is working fine:

     Licensed features for this platform:
     Maximum Physical Interfaces : Unlimited
     Maximum VLANs               : 150      
     Inside Hosts                : Unlimited
     Failover                    : Active/Active
     VPN-DES                     : Enabled  
     VPN-3DES-AES                : Enabled  
     Security Contexts           : 2        
     GTP/GPRS                    : Disabled 
     VPN Peers                   : 750      
     WebVPN Peers                : 2       

     This platform has an ASA 5520 VPN Plus license.

Thank you,
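The "Mate's license ... is not compatible with my license" messages above come from a feature-by-feature comparison of the two units' licenses. The following added example (not code from the thread or from Cisco) does that comparison offline: it parses the "Licensed features for this platform" table out of two pasted "show version" outputs and reports every feature that differs, so a mismatch such as the VPN-3DES-AES one here can be spotted before the RMA unit is cabled in. The sample inputs are the two outputs pasted in this thread; the assumption that the feature table ends at the first blank line after its heading, and the report line format, are this script's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the "show version" excerpt of the RMA/broken unit
# as pasted in the thread above (not read from a live device).
STANDBY_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 7.2(2)

Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "tftp://1.1.1.9/asa722-k8.bin"
Config file at boot was "startup-config"

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 150
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Disabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : 750
WebVPN Peers                : 2

This platform has an ASA 5520 VPN Plus license.
"""

# Constructed sample input: the working primary unit, whose only difference
# in the thread is that VPN-3DES-AES is Enabled.
ACTIVE_SHOW_VERSION = STANDBY_SHOW_VERSION.replace(
    "VPN-3DES-AES                : Disabled",
    "VPN-3DES-AES                : Enabled",
)

# One table row: "<feature name> : <value>", tolerant of column padding.
FEATURE_LINE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_licensed_features(show_version: str) -> Dict[str, str]:
    """Extract the 'Licensed features for this platform' table as name -> value.

    Assumption (from the pasted output format): the table starts right after
    its heading and ends at the first blank line.
    """
    features: Dict[str, str] = {}
    in_table = False
    for line in show_version.splitlines():
        if not in_table:
            in_table = line.strip().startswith("Licensed features for this platform")
            continue
        if not line.strip():
            break
        match = FEATURE_LINE.match(line)
        if match:
            features[match.group(1)] = match.group(2)
    return features


def license_mismatches(active: Dict[str, str],
                       standby: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {feature: (active_value, standby_value)} for every feature whose
    value differs, or which is present on only one unit."""
    result: Dict[str, Tuple[str, str]] = {}
    for name in sorted(set(active) | set(standby)):
        a = active.get(name, "<missing>")
        s = standby.get(name, "<missing>")
        if a != s:
            result[name] = (a, s)
    return result


def failover_preflight(active_text: str, standby_text: str) -> Tuple[bool, List[str]]:
    """Compare the two units' license tables; returns (ok, report_lines)."""
    diffs = license_mismatches(parse_licensed_features(active_text),
                               parse_licensed_features(standby_text))
    if not diffs:
        return True, ["License tables match; no license mismatch expected."]
    return False, [f"{name}: active={a} standby={s}" for name, (a, s) in diffs.items()]


if __name__ == "__main__":
    ok, report = failover_preflight(ACTIVE_SHOW_VERSION, STANDBY_SHOW_VERSION)
    print("OK" if ok else "MISMATCH")
    for line in report:
        print("  " + line)
```

Run it with the two pasted outputs and it reports the single VPN-3DES-AES difference; replace the two string constants with the real "show version" text from each unit to use it as a pre-check after the activation key has been applied to the RMA unit.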

It seems the RMAed ASA does not have a 3DES license.

Please make sure you call in and ask for the old 3DES license of the old unit to be rehosted to the RMAed ASA.

I hope it helps.

PK

On active ASA do the following:

1. changeto system

2. copy running-config disk0:system.cfg

3. more disk0:/system.cfg


With the 3rd command you'll be able to see the failover key in clear text.


For security reasons, after that delete the file:

4. delete disk0:/system.cfg
